Pipe requests to public endpoints through EnsurePublicOrAuthenticatedPlug

diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex
index 80af0afe17f8011f651bf9fae252314b60450921..7fef82f82a3eb613d37e6b63d321155b91fe5079 100644 (file)
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@ -84,11 +84,13 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Plugs.EnsureUserKeyPlug)
   end
 
-  pipeline :oauth_read_or_unauthenticated do
+  pipeline :oauth_read_or_public do
     plug(Pleroma.Plugs.OAuthScopesPlug, %{
       scopes: ["read"],
       fallback: :proceed_unauthenticated
     })
+
+    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
   end
 
   pipeline :oauth_read do
@@ -404,7 +406,7 @@ defmodule Pleroma.Web.Router do
     get("/accounts/search", MastodonAPIController, :account_search)
 
     scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)
 
       get("/timelines/public", MastodonAPIController, :public_timeline)
       get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
@@ -425,7 +427,7 @@ defmodule Pleroma.Web.Router do
   end
 
   scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
     get("/search", MastodonAPIController, :search2)
   end
 
@@ -455,7 +457,7 @@ defmodule Pleroma.Web.Router do
     )
 
     scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)
 
       get("/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
       get("/qvitter/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
@@ -473,7 +475,7 @@ defmodule Pleroma.Web.Router do
   end
 
   scope "/api", Pleroma.Web do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
 
     get("/statuses/public_timeline", TwitterAPI.Controller, :public_timeline)
 
@@ -487,7 +489,7 @@ defmodule Pleroma.Web.Router do
   end
 
   scope "/api", Pleroma.Web, as: :twitter_api_search do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
     get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
   end
 
@@ -671,7 +673,7 @@ defmodule Pleroma.Web.Router do
     delete("/auth/sign_out", MastodonAPIController, :logout)
 
     scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)
       get("/web/*path", MastodonAPIController, :index)
     end
   end

diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index 5c79ee633f8e9e8bcdaecf8647fb9213f9d5d5b0..40e7739e71a03bd03114473bb7d8150fe4e529f2 100644 (file)
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -81,6 +81,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
     end)
   end
 
+  test "the public timeline when public is set to false", %{conn: conn} do
+    public = Pleroma.Config.get([:instance, :public])
+    Pleroma.Config.put([:instance, :public], false)
+
+    on_exit(fn ->
+      Pleroma.Config.put([:instance, :public], public)
+    end)
+
+    assert conn
+           |> get("/api/v1/timelines/public", %{"local" => "False"})
+           |> json_response(403) == %{"error" => "This resource requires authentication."}
+  end
+
   test "posting a status", %{conn: conn} do
     user = insert(:user)